Problem with data fetching from database using session mechanism

i want to fetch rows from database and display them as output on a php scripted web page ...the rows which are the result of the matching entered data in a text box in the form with the table in a database but its somehow not happening....below is some code i use..1) this is the form ....

2) this is the php code for the form
$nor=mysql_num_rows(mysql_query("select * from bus where to_here='".$_POST['to']."' and from_here='".$_POST['from']."'"));
if($nor>0)
{
$_SESSION['from'] = $_POST['from'];
header("Location:searched_bus.php");
}

3) and this is the actual php code through which i want to fetch rows from the database and display as output .....

below is the query which i use in the same php script of above......
$sql = "SELECT id, from_here, to_here, ac, nonac FROM bus WHERE image= '".$_POST['depart']."' AND fair = '".$_POST['return']."'";

when i dont use $_POST[] and use the typical where clause then it works fine but when i use $_POST[] then it doesnt work so i think the problem is in my understanding of using sessions and session variables.

Right now, you're giving the whole world direct access to your database system and possibly the whole server. You need to fix that.

Apart from that, I have a hard time understanding your code. So the third script is searched_bus.php which you redirect to after you've processed the form? Then where are the POST values supposed to come from? You never send data to that script.

Why can’t I use certain words like "drop" as part of my Security Question answers?
There are certain words used by hackers to try to gain access to systems and manipulate data; therefore, the following words are restricted: "select," "delete," "update," "insert," "drop" and "null".

I completely agree with Jacques. Fix your security holes before going any farther. Seriously. They will be exponentially harder to fix the more code you write.

Go do it. We'll wait.

That being said, your code in number 3 makes me shudder a bit. Why are you directing traffic based on session contents? That's probably a bad idea, but outside of that, it indicates that you probably have a bad design going. Why load a page that checks session data and then loads a different page? Why not just direct your traffic wherever the session data is being set in the first place? It just seems like this might be indicative of a poor underlying design.

In addition to the security stuff already mentioned (and maybe this has been too) you should not be putting POST values directly in to your queries. Big no-no. At the very least, you should use prepared statements for this. You're opening yourself up to a world of problems. Since POST data is easy to change and spoof, you can't even count on front-end validation for protection.

reply

hey first of all thanks for ur response.....................actually i m trying to match the form data with the database ....if the rows containing the data exists in the database then i want to display those rows in my searched_bus.php file .......and i m just a trainee in php......working on a localhost server yet at this time.

the code which i use and as i tried to explain above works but it displays the whole table in the searched_bus.php.......instead i want to display just the rows which are containing the data relevant to which i entered into the form and my form file name is homepage1.php..............i m just confused......but still trying ......i m learning and knowing more things in detail

Well, like we already said, you first need to get your database code right and fix the security holes. That's the very first step.

When that's done, you should post your complete code and explain it a bit more. Right now, it doesn't make a lot of sense. You said you want to select database rows based on the values of a form. But instead of simply sending the form data to the target script (searched_bus.php), you send it to some other script (linkpage.php), store some (but not all) form data in the session and then redirect to the actual script. In this script, however, you don't seem to use the session values but instead try to access the original POST values (which no longer exist at this point). Um, what?

Using POST isn't really appropriate here, anyway. This is about fetching data, so you should be using GET.

Comments on this post

Why can’t I use certain words like "drop" as part of my Security Question answers?
There are certain words used by hackers to try to gain access to systems and manipulate data; therefore, the following words are restricted: "select," "delete," "update," "insert," "drop" and "null".